[65627] in North American Network Operators' Group


Re: MTU path discovery and IPSec

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Dec 3 18:33:37 2003

Date: Wed, 03 Dec 2003 15:32:43 -0800
From: Owen DeLong <owen@delong.com>
To: Valdis.Kletnieks@vt.edu, jgraun@comcast.net
Cc: nanog@merit.edu
In-Reply-To: <200312031639.hB3Gd9sL008142@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu


--On Wednesday, December 3, 2003 11:39 AM -0500 Valdis.Kletnieks@vt.edu wrote:

> On Wed, 03 Dec 2003 16:05:39 GMT, jgraun@comcast.net  said:
>
>> 1) I assume MTU path discovery has to be enabled on each router in
>> the path in order for it to work correctly?!
>
> Actually, no.  All that's required is that:
>
> a) The router handle the case of a too-large packet with the DF bit set by
> sending back an ICMP 'Dest Unreachable - Frag Needed' packet.  I've never
> actually encountered a router that didn't get this part right. (Has
> anybody ever seen a router botch this, *other* than a config error
> covered in (b) below?)
>
When you consider that most firewalls are technically routers (albeit
somewhat pathological routers), yes... Many firewalls fail to send back
the ICMP and silently drop the DF packet.

> b) said ICMP makes it back to the originating machine.  This is where all
> the operational breakage I've ever seen on PMTU Discovery comes from. And
> in almost all cases, one of two things is at fault.  Either some bonehead
> firewall admin is "blocking all ICMP for security" (fixable by
> reconfiguring the firewall to let ICMP Frag Needed error messages
> through), or some bonehead network provider numbered their
> point-to-points from 1918 space and the ICMP gets ingress/egress filtered
> (this one is usually not fixable except with a baseball bat).
>

Yep... Those are definitely the most common PMTU-D problems.

Owen



-- 
If it wasn't crypto-signed, it probably didn't come from me.

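The two requirements Valdis lists, (a) the router emits ICMP "Dest Unreachable / Frag Needed" for an oversize DF packet and (b) that ICMP gets back to the sender, and the two return-path failures Owen agrees are the usual cause, as an added example that is not part of the original thread and not code from any vendor or project mentioned on it. It builds the type 3 / code 4 message the way a router must, parses it the way a host must, keeps a sender-side PMTU cache under RFC 1191's rules (estimates only go down, bogus next-hop MTUs and unknown flows are ignored, a zero MTU falls back to the plateau table), and walks DF packets over a toy path with three return-path filters: one that permits Frag Needed, one that "blocks all ICMP for security", and one that ingress-filters ICMP sourced from RFC 1918 space. Addresses, hop MTUs and the filter semantics are constructed for the example; nothing touches the wire.

```python
"""Added example (not from the NANOG thread): PMTU-D router side, host side,
and the two return-path failure modes. All packets are built in memory."""
import ipaddress
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IPV4_MIN_MTU = 68  # RFC 791 floor; a smaller Next-Hop MTU is bogus
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]  # RFC 1191
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, df: bool = True, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (proto 6 = TCP; 50 would be ESP) with DF set."""
    packed = lambda a: ipaddress.ip_address(a).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0, packed(src), packed(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(offending: bytes, next_hop_mtu: int) -> bytes:
    """Requirement (a): the router's reply. RFC 1191 carries the outgoing link
    MTU in the low 16 bits of the old 'unused' word; the IP header plus 8 bytes
    of the dropped datagram are quoted so the sender can match it to a flow."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Fields a host needs from a Frag Needed message, or None if it is not one
    (wrong type/code, bad checksum, or the quoted header is missing)."""
    if len(icmp) < 28:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or inet_checksum(icmp) != 0:
        return None
    q = icmp[8:]
    if q[0] >> 4 != 4:
        return None
    total_len, = struct.unpack("!H", q[2:4])
    flags, = struct.unpack("!H", q[6:8])
    return {"mtu": mtu, "len": total_len, "df": bool(flags & 0x4000),
            "src": str(ipaddress.ip_address(q[12:16])), "dst": str(ipaddress.ip_address(q[16:20]))}


class PmtuCache:
    """Requirement (b), host side: what the sender does once the ICMP arrives.
    Estimates only ever decrease and only for flows this host really sent."""
    def __init__(self, link_mtu: int = 1500):
        self.link_mtu, self.pmtu, self.flows = link_mtu, {}, set()

    def note_sent(self, src: str, dst: str) -> None:
        self.flows.add((src, dst))

    def pmtu_for(self, dst: str) -> int:
        return self.pmtu.get(dst, self.link_mtu)

    def receive(self, icmp: bytes):
        info = parse_frag_needed(icmp)
        if info is None or (info["src"], info["dst"]) not in self.flows:
            return None
        mtu = info["mtu"]
        if mtu == 0:  # pre-RFC 1191 router: step down the plateau table instead
            mtu = next((p for p in PLATEAUS if p < info["len"]), IPV4_MIN_MTU)
        if mtu < IPV4_MIN_MTU or mtu >= self.pmtu_for(info["dst"]):
            return None  # bogus, or not a reduction: ignore
        self.pmtu[info["dst"]] = mtu
        return mtu


# Return-path filters of the kinds the thread names. Each sees the ICMP's
# source address and type/code and answers whether it is passed to the sender.
def allow_frag_needed(src, typ, code):     # the fix: permit type 3 / code 4 explicitly
    return (typ, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)

def block_all_icmp(src, typ, code):        # "blocking all ICMP for security"
    return False

def drop_rfc1918_sources(src, typ, code):  # ingress filter vs. 1918-numbered P2P links
    return not any(ipaddress.ip_address(src) in n for n in RFC1918)


def discover(hops, return_filter, src="192.0.2.10", dst="198.51.100.20", link_mtu=1500):
    """Walk DF packets over hops=[(router_ip, egress_mtu), ...]. Returns
    ('ok', pmtu) or ('blackhole', size) when a packet was dropped and no
    error ever made it back, which is exactly what the sender cannot see."""
    cache = PmtuCache(link_mtu)
    for _ in range(len(hops) + 1):
        size = cache.pmtu_for(dst)
        pkt = ipv4_header(src, dst, size) + b"\x00" * (size - 20)
        cache.note_sent(src, dst)
        for router, mtu in hops:
            if size > mtu:
                icmp = build_frag_needed(pkt, mtu)
                if not return_filter(router, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
                    return ("blackhole", size)
                cache.receive(icmp)
                break
        else:
            return ("ok", size)
    return ("blackhole", size)


if __name__ == "__main__":
    # Constructed path: second hop is numbered from 10/8 and has the 1400 link.
    path = [("203.0.113.1", 1500), ("10.9.9.1", 1400), ("203.0.113.3", 1280)]
    for f in (allow_frag_needed, block_all_icmp, drop_rfc1918_sources):
        print(f.__name__, discover(path, f))
```

On a real firewall the equivalent of `allow_frag_needed` is a rule that permits ICMP type 3 code 4 toward the hosts doing PMTU-D rather than a blanket ICMP drop. The RFC 1918 case has no rule-level fix on the receiving end, which is the baseball-bat point in the thread: the error is sourced from an address that every upstream ingress filter is entitled to discard, so the link has to be renumbered.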

